Cloud KMS FAQ

About Cloud KMS

What is Cloud KMS? What can it do?

Cloud KMS is a cloud-hosted key management service that lets you
manage encryption for your cloud services the same way you do on-premises. You
can generate, use, rotate, and destroy AES-256 encryption keys.
Cloud KMS is integrated with Cloud Identity and Access Management and Cloud Audit Logging so
that you can manage permissions on individual keys, and monitor how they are
used.

Can I store secrets?

Using Cloud KMS, you can encrypt secrets that you store elsewhere.
As an example, you can store a secret in a Cloud Storage bucket. For
details, see Storing secrets.

Is there an SLA?

How do I provide product feedback?

How do I provide documentation feedback?

While viewing Cloud KMS documentation, click Send feedback near
the top right of the page. This will open a feedback form.

If I need help, what are my options?

We invite our users to post their questions on Stack Overflow. Along with
the active Stack Overflow community, our team actively monitors Stack Overflow
posts and answers questions with the tag google-cloud-kms.

Is there a limit on the number of keys I can have?

Keys

What kind of key does Cloud KMS generate?

How is key material generated?

Cloud KMS keys are generated by Google's common cryptographic
library, using a random number generator (RNG) built by Google. This
RNG is based on NIST 800-90Ar1 CTR-DRBG and generates an AES-256 key. For
more details, see Key management.

Are keys HSM-backed?

Can I auto-delete keys?

Can I auto-rotate keys?

Does key rotation re-encrypt data? If not, why?

Key rotation does not automatically re-encrypt data. When you decrypt data,
Cloud KMS knows which key version to use for the decryption. As
long as a key version is not disabled or destroyed, Cloud KMS will
be able to use the key version for the decryption.

Why can't I delete keys or key rings?

To prevent resource name collisions, key ring and key resources CANNOT be
deleted. Key versions also cannot be deleted, but key version material can be
destroyed so that the resources can no longer be used. For more information,
see Lifetime of objects.

Can I export keys?

No. Keys are not exportable from Cloud KMS by design. All
encryption and decryption with these keys must be done within
Cloud KMS. This helps prevent leaks and misuse, and enables
Cloud KMS to emit an audit trail when keys are used.

Can I import keys?

No.

How long after I destroy a key version can I get it back?

After you schedule a key version for destruction, you have 24 hours before the
key version is actually destroyed. During that time, if needed you can restore
the key version.

Can I change the 24-hour period before a scheduled key is destroyed?

No.

When I make changes to a key, how quickly do the changes take effect?

Some operations on Cloud KMS resources are strongly consistent,
while others are eventually consistent and may take up to a couple of hours to
propagate.

For example, creating a key ring or key, or enabling a key version, are strongly
consistent operations. Changing the state of an existing key or disabling a key
version are eventually consistent operations.

When you disable a user's Cloud IAM access to a Cloud KMS
resource, it can take up to 60 seconds for the change to propagate.

Authorization and authentication

How do I authenticate to the Cloud KMS API?

How clients authenticate may vary a bit depending on the platform on which the
code is running. For details, see Accessing the API.

What Cloud IAM roles should I use?

To enforce the principle of least privilege, ensure that the user and service
accounts in your organization have only the permissions essential to performing
their intended functions. For more information, see Separation of duties.

When I remove a Cloud IAM permission, how quickly is it removed?

Removal of a permission should be in effect in less than one hour.

Miscellaneous

What is additional authenticated data, and when would I use it?

Additional authenticated data (AAD) is any string that you pass to
Cloud KMS as part of an encrypt or decrypt request. It is used as
an integrity check and can help protect your data from a confused deputy
attack. For more information, see Additional authenticated data.
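To illustrate two of the answers above, that rotation does not re-encrypt data because each ciphertext records which key version to use, and that AAD acts as an integrity check on decryption, here is a small local model written for this FAQ. It is not Cloud KMS code or its API: local AES-256-GCM stands in for the service, the version index is stored as a one-byte prefix on the ciphertext, and Rotate must be called at least once before Encrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceSize = 12 // standard GCM nonce length

// Key is a constructed stand-in for a Cloud KMS key: its AES-256-GCM key
// versions, oldest first. The newest version is the primary one.
type Key []cipher.AEAD

// Rotate adds a fresh AES-256 version; older versions stay usable for decryption.
func (k *Key) Rotate() error {
	raw := make([]byte, 32) // 256-bit key material from the system CSPRNG
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	*k = append(*k, aead)
	return nil
}

// Encrypt seals with the primary version, binds aad, and prefixes the version index.
func (k Key) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := append([]byte{byte(len(k) - 1)}, nonce...)
	return k[len(k)-1].Seal(hdr, nonce, plaintext, aad), nil
}

// Decrypt picks the version recorded in the ciphertext; it fails if aad differs from encryption.
func (k Key) Decrypt(ct, aad []byte) ([]byte, error) {
	if len(ct) < 1+nonceSize || int(ct[0]) >= len(k) {
		return nil, errors.New("malformed ciphertext or unknown key version")
	}
	return k[ct[0]].Open(nil, ct[1:1+nonceSize], ct[1+nonceSize:], aad)
}
```

After a Rotate, data sealed under version 0 still opens because the prefix selects that version, while a caller presenting a different AAD string gets an authentication failure rather than plaintext.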

Are data access logs on by default? How do I enable data access logs?

How do Cloud KMS keys relate to service account keys?

Service account keys are used for service-to-service authentication within
Google Cloud Platform. Service account keys are unrelated to Cloud KMS keys.

How do Cloud KMS keys relate to API keys?

API keys are a simple encrypted string that can be used when calling
certain APIs that don't need to access private user data and are used to track
API requests associated with your project for quota and billing. API keys are
unrelated to Cloud KMS keys.